Software Development
Previous section  |  This section  |  Next section
Previous question  |  This question  |  Next question

How do I use CVS without typing my password each time?
Christopher Brooks, 9 Aug 2010
Last updated: 12 Jan 2011

To use CVS to update files without typing your password, you will need first need a CVS account, see How do I get a CVS account? and request an individual account. In the comments section be sure to state that you think you have a shared account and that you would like your account recreated as an individual account so that you do not have to type your password.

The steps below are slightly modified from the CVS SSH instructions

SSH (and therefore CVS) can use RSA and Rhosts style authentication to make it so that you can login without typing your password. Using Rhosts authentication alone is insecure, and most CVS servers (this one included) disallow it. RSA can be used with or without Rhosts authentication. Using RSA alone, any user with the appropriate RSA key and passphrase can access the repository. Using RSA and Rhosts restricts repository access to only computers listed in Rhosts that also have the appropriate RSA key.

Note that for RSA with Rhosts authentication to work, each host that you are logging in from needs to be listed in two files. If you are connecting from multiple hosts via dynamic DSL, then each time you connect, you are likely to have a different address, which makes managing the file difficult. There are several possible solutions, one is to try to use wildcards in ~/.ssh/known_hosts and ~/.shosts, the other is to run a script that updates these files automatically. Both solutions are complex and have security issues, so we do not cover them here. It is much simpler to use RSA authentication alone in this case.

RSA authentication

Once your account has been set up, do the following:

  1. Create ~/.ssh/id_rsa.pub on the local machine:
    Unix, including probably Mac OS X: If ~/.ssh/id_rsa.pub does not exist, on your local machine, then create it by running ssh-keygen -t rsa
    When prompted for a passphrase, hit return. If you type in a passphrase here, you will be prompted for that passphrase each time.
    Running ssh-keygen will generate the files ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub, which are your private and public encryption keys respectively.
    1. Download and install PuTTY (Download the installer so that you get PuTTYgen.
    2. Invoke PuTTYgen
    3. Move the mouse around to generate randomness :-)
    4. Do not enter a passphrase, if you enter a passphrase here, you will be prompted for that passphrase each time.
    5. Click on "Save Private Key" and save the file to a location to be used by TortoiseCVS (FIXME: need more info about the location here)
    6. Click on "Save Public Key". The public key is what is should be transferred to the cvs or svn server.
    7. FIXME: need info about setting up TortoiseCVS with the PuTTY key.
  2. Create ~/.ssh/authorized_keys2 on source: Set the permission of ~/.ssh/id_rsa.pub to 0644 and then copy ~/.ssh/id_rsa.pub over to ~/.ssh/authorized_keys2 with the scp -p flag to preserve permissions.
    chmod 0644 ~/.ssh/id_rsa.pub
    scp -p ~/.ssh/id_rsa.pub yoursourcelogin@source:~/.ssh/authorized_keys2
    where yoursourcelogin is the your CVS login on source.eecs.berkeley.edu (which may be different from your website login)
  3. From the local machine, test ssh with:
    ssh yoursourcelogin@source.eecs.berkeley.edu cvs
    to check the set up.
Below is a sample run
cxh@DOPLAP03 ~
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/cygdrive/c/cxh/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /cygdrive/c/cxh/.ssh/id_rsa.
Your public key has been saved in /cygdrive/c/cxh/.ssh/id_rsa.pub.
The key fingerprint is:
03:2a:8a:3b:96:93:6b:74:86:c8:ea:30:e2:c9:11:68 cxh@DOPLAP03

cxh@DOPLAP03 ~
$ chmod 0644 ~/.ssh/id_rsa.pub

cxh@DOPLAP03 ~
$ scp ~/.ssh/id_rsa.pub cxh@source.eecs.berkeley.edu:~/.ssh/authorized_keys2
The authenticity of host 'source (' can't be established.
RSA key fingerprint is 74:57:84:9b:ca:b8:44:1d:fa:f0:e3:27:29:ac:19:c6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'source,' (RSA) to the list of know
n hosts.
cxh@source's password:
id_rsa.pub           100% |*****************************|   222       00:00

cxh@DOPLAP03 ~
$ ssh cxh@source.eecs.berkeley.edu cvs
Usage: cvs [cvs-options] command [command-options-and-arguments]
  where cvs-options are -q, -n, etc.
    (specify --help-options for a list of options)
  where command is add, admin, etc.
    (specify --help-commands for a list of commands
     or --help-synonyms for a list of command synonyms)
  where command-options-and-arguments depend on the specific command
    (specify -H followed by a command name for command-specific help)
  Specify --help to receive this message

The Concurrent Versions System (CVS) is a tool for version control.
For CVS updates and additional information, see
    the CVS home page at http://www.cvshome.org/ or
    Pascal Molli's CVS site at http://www.loria.fr/~molli/cvs-index.html

cxh@DOPLAP03 ~
The above steps should not prompt you for your password each time you run a cvs command. There are two ways to enable yourself to not type a passphrase each time.

The first is to use only RSA authentication as described above, and give an empty passphrase. Note that this means that if someone steals your laptop and breaks into your account, they will be able to use the ssh command to get on to your Unix account. RSA authentication works with ssh1 and ss2.

The second way is to set up Rhosts RSA authentication, which currently only works with ssh1. In this case, ssh will authenticate your computer instead of you. It is somewhat safer for your computer to log in without a password because the CVS server can determine where your computer is located. Your computer can only login without a password if it also has the correct name and IP. This method is shown below.

Rhosts RSA authentication

These instructions apply to ssh1 clients, like the version of ssh that is currently shipped with cvsssh. For ssh2, see above.
  1. Setup ~/.shosts on gigasource: Create a temporary file on your local machine that contains the name of the host you will be logging in from.
    echo "myhost.eecs.berkeley.edu" > /tmp/shosts
  2. Change the permissions of the file on you local machine so that it is only readable by you. Note that you can't run chmod on the remote machine under rksh, so you need to fix the permissions before you copy the file over.
    chmod 0600 /tmp/shosts
  3. Copy the file over:
    scp /tmp/shosts gigasource:~/.shosts
    Below is a sample session
    ptolemy@myhost 4% echo "myhosts.eecs.berkeley.edu" > /tmp/shosts
    ptolemy@myhost 5% chmod 0600 /tmp/shosts
    ptolemy@myhost 6% scp /tmp/shosts gigasource:~/.shosts
    Enter passphrase for RSA key 'ptolemy@myhost.eecs.berkeley.edu': your passphrase
    ^Mshosts                    |          0 KB |   0.0 kB/s | ETA: 00:00:00 | 100%
    ptolemy@myhost 7%
  4. On your Windows machine, check to see if the file c:sshetcssh_host_key.pub exists:
    1. If it does not exist, generate host keys on your Unix machine and copy them over. Note that the ssh-keygen command that is shipped with the Windows CVS SSH package will not work, you should run ssh-keygen on a Unix host. Note that the -N below indicates that your computer will not have a passphrase.
         cd /tmp
         ssh-keygen -b 1024 -f ssh_host_key -N ''
      On Windows, you can copy the files with scp. If you use scp here, note that scp does not understand the Windows c: naming convention, it think c: is a machine named 'c'. To copy the file under bash on Windows:
         cd c:/ssh/etc
         scp yourunixmachine:/tmp/ssh_host_key.pub .
         scp yourunixmachine:/tmp/ssh_host_key .
      On the Unix machine, remove /tmp/ssh_host_key
    2. If c:/etc/ssh/ssh_host_key.pub exists on your Windows machine, copy it to a temporary file on the Unix machine:
              cd c:/ssh/etc
              scp ssh_host_key.pub yourunixmachine:/tmp
  5. Set up ~/.ssh/known_hosts on gigasource: On gigasource, ~/.ssh/known_hosts lists hosts that are allowed to connect without a password. Since we can't edit files on gigasource from the restricted shell, we create the file on the local machine and copy it over to gigascale.
    Note that if you are connecting from multiple machines, you will need to add a line to this file for each machine you are connecting from. The easiest way to do this is to use scp to transfer the file to a local machine, edit the file locally and then scp it back to gigasource.
    1. Grab the contents of the copy of ssh_host_key.pub that you either generated or copied over, and create a temporary file
    2. Add the fully qualified domain name of the windows machine to the beginning of the line. You should end up with something like
      maury.eecs.berkeley.edu 1024 17 27348124368712489214987214872164987243
      Where the last number is several lines long.
    3. Copy the file:
      scp /tmp/known_hosts source:~/.ssh/known_hosts
  6. From the local machine, test ssh with:
    ssh -v source cvs
    you should not have to type in your password.

Troubleshooting CVS SSH under NT

  1. Run
    ssh -v yourunixmachine cvs
    and check the output, which should look like:
    ptolemy@carson 8% ssh -v source cvs
    SSH Version 1.2.26 [sparc-sun-solaris2.5.1], protocol version 1.5.
    Standard version.  Does not use RSAREF.
    carson.eecs.berkeley.edu: Reading configuration data /etc/ssh_config
    carson.eecs.berkeley.edu: ssh_connect: getuid 4035 geteuid 0 anon 0
    carson.eecs.berkeley.edu: Connecting to gigasource [] port 22.
    carson.eecs.berkeley.edu: Allocated local port 1021.
    carson.eecs.berkeley.edu: Connection established.
    carson.eecs.berkeley.edu: Remote protocol version 1.5, remote software version 
    carson.eecs.berkeley.edu: Waiting for server public key.
    carson.eecs.berkeley.edu: Received server public key (768 bits) and host key (1
    024 bits).
    carson.eecs.berkeley.edu: Host 'gigasource' is known and matches the host key.
    carson.eecs.berkeley.edu: Initializing random; seed file /users/ptolemy/.ssh/ra
    carson.eecs.berkeley.edu: Encryption type: idea
    carson.eecs.berkeley.edu: Sent encrypted session key.
    carson.eecs.berkeley.edu: Installing crc compensation attack detector.
    carson.eecs.berkeley.edu: Received encrypted confirmation.
    carson.eecs.berkeley.edu: Trying rhosts or /etc/hosts.equiv with RSA host authe
    carson.eecs.berkeley.edu: Remote: Accepted by .shosts.
    carson.eecs.berkeley.edu: Remote: Your host key cannot be verified: unknown or 
    invalid host key.
    carson.eecs.berkeley.edu: Remote: The host name used to check the key was 'cars
    carson.eecs.berkeley.edu: Remote: Try logging back from the server machine with
     the canonical host name using ssh, and then try again.
    carson.eecs.berkeley.edu: Server refused our rhosts authentication or host key.
    carson.eecs.berkeley.edu: No agent.
    carson.eecs.berkeley.edu: Trying RSA authentication with key 'ptolemy@maury.eec
    carson.eecs.berkeley.edu: Received RSA challenge from server.
    carson.eecs.berkeley.edu: Bad passphrase supplied for key file /users/ptolemy/.
    Enter passphrase for RSA key 'ptolemy@maury.eecs.berkeley.edu': your CVS passphrase
    carson.eecs.berkeley.edu: Sending response to host key RSA challenge.
    carson.eecs.berkeley.edu: Remote: RSA authentication accepted.
    carson.eecs.berkeley.edu: RSA authentication accepted by server.
    carson.eecs.berkeley.edu: Requesting X11 forwarding with authentication spoofin
    carson.eecs.berkeley.edu: Sending command: cvs
    carson.eecs.berkeley.edu: Entering interactive session.
    Usage: cvs [cvs-options] command [command-options-and-arguments]
      where cvs-options are -q, -n, etc.
        (specify --help-options for a list of options)
      where command is add, admin, etc.
        (specify --help-commands for a list of commands
         or --help-synonyms for a list of command synonyms)
      where command-options-and-arguments depend on the specific command
        (specify -H followed by a command name for command-specific help)
      Specify --help to receive this message
    The Concurrent Versions System (CVS) is a tool for version control.
    For CVS updates and additional information, see
        Cyclic Software at http://www.cyclic.com/ or
        Pascal Molli's CVS site at http://www.loria.fr/~molli/cvs-index.html
    carson.eecs.berkeley.edu: Transferred: stdin 0, stdout 716, stderr 0 bytes in 0
    .1 seconds
    carson.eecs.berkeley.edu: Bytes per second: stdin 0.0, stdout 12490.8, stderr 0
    carson.eecs.berkeley.edu: Exit status 1
    ptolemy@carson 9%
  2. Check the value of the CVSROOT environment variable. It should be something like: :ext:myhost.eecs.berkeley.edu:/users/cvs/Repository
  3. Be sure that you have created a key on the Unix side and copied the identity* files from Unix to NT
  4. Be sure that $HOME is set for your NT account
  5. Try using the ssh.exe binary that the $CVS_RSH variable refers to. Below is an example where we rsh over to carson and get the date:
         bash-2.02$ echo $CVS_RSH
         D:Program FilesPtolemyCVS SSHssh.exe
         bash-2.02$ /Program Files/Ptolemy/CVS SSH/ssh carson date
         Enter passphrase for RSA key 'cxh@myhost.eecs.berkeley.edu':
         ld.so.1: /usr/local/bin/xauth: warning: /usr/4lib/libXmu.so.4.0: has older revision than expected 10
         Thu Feb  4 15:35:06 PST 1999
    Below is an example that failed because of an incorrect CVS password, note that the password is prompted for twice:
         bash-2.02$ /Program Files/Ptolemy/CVS SSH/ssh carson date
         Enter passphrase for RSA key 'cxh@myhost.eecs.berkeley.edu':
         Bad passphrase.
         Permission denied.
  6. Verify that you can use ssh to connect between two Unix boxes.
  7. Check ssh_config. RSAAuthentication and/or RhostsRSAAuthentication must be turned on. One way to do this locally is by having an /Program Files/Ptolemy/CVS SSH/ssh_config file that looks like:
    Host *
            RSAAuthentication yes
            RhostsRSAAuthentication yes
  8. Reboot NT.
Previous section  |  This section  |  Next section
Previous question  |  This question  |  Next question
©2002-2018 Chess